ID
VAR-202212-1145
CVE
CVE-2022-46350
TITLE
Cross-site scripting vulnerability in multiple Siemens products
Trust: 0.8
DESCRIPTION
A vulnerability has been identified in SCALANCE X204RNA (HSR) (All versions < V3.2.7), SCALANCE X204RNA (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (HSR) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP) (All versions < V3.2.7), SCALANCE X204RNA EEC (PRP/HSR) (All versions < V3.2.7). The integrated web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. This can be used by an attacker to trigger a malicious request on the affected device. 6gk5204-0ba00-2mb2 firmware, 6gk5204-0ba00-2kb2 firmware, 6gk5204-0bs00-2na3 Multiple Siemens products such as firmware contain a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. The SCALANCE X-204RNA Industrial Ethernet Access Points enable non-PRP end devices to be connected to separate parallel networks if required
Trust: 2.16
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | siemens | model: | scalance x204rna eec | scope: | lt | version: | v3.2.7 | Trust: 1.8 |
| vendor: | siemens | model: | scalance x204rna | scope: | lt | version: | v3.2.7 | Trust: 1.2 |
| vendor: | siemens | model: | 6gk5204-0ba00-2mb2 | scope: | lt | version: | 3.2.7 | Trust: 1.0 |
| vendor: | siemens | model: | 6gk5204-0bs00-2na3 | scope: | lt | version: | 3.2.7 | Trust: 1.0 |
| vendor: | siemens | model: | 6gk5204-0ba00-2kb2 | scope: | lt | version: | 3.2.7 | Trust: 1.0 |
| vendor: | siemens | model: | 6gk5204-0bs00-3pa3 | scope: | lt | version: | 3.2.7 | Trust: 1.0 |
| vendor: | siemens | model: | 6gk5204-0bs00-3la3 | scope: | lt | version: | 3.2.7 | Trust: 1.0 |
| vendor: | シーメンス | model: | 6gk5204-0bs00-2na3 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | シーメンス | model: | 6gk5204-0bs00-3pa3 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | シーメンス | model: | 6gk5204-0bs00-3la3 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | シーメンス | model: | 6gk5204-0ba00-2mb2 | scope: | - | version: | - | Trust: 0.8 |
| vendor: | シーメンス | model: | 6gk5204-0ba00-2kb2 | scope: | - | version: | - | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-80 | Trust: 1.0 |
| problemtype: | CWE-79 | Trust: 1.0 |
| problemtype: | Cross-site scripting (CWE-79) [NVD evaluation ] | Trust: 0.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
XSS
Trust: 0.6
PATCH
| title: | Patch for Siemens SCALANCE X-200RNA Switch Devices cross-site scripting vulnerability | url: | https://www.cnvd.org.cn/patchInfo/show/372291 | Trust: 0.6 |
| title: | Siemens SCALANCE Series Fixes for cross-site scripting vulnerabilities | url: | http://123.124.177.30/web/xxk/bdxqById.tag?id=217825 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2022-46350 | Trust: 3.8 |
| db: | SIEMENS | id: | SSA-363821 | Trust: 3.0 |
| db: | ICS CERT | id: | ICSA-22-349-02 | Trust: 1.4 |
| db: | JVN | id: | JVNVU91561630 | Trust: 0.8 |
| db: | JVNDB | id: | JVNDB-2022-023296 | Trust: 0.8 |
| db: | CNVD | id: | CNVD-2022-87969 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202212-3080 | Trust: 0.6 |
REFERENCES
| url: | https://cert-portal.siemens.com/productcert/pdf/ssa-363821.pdf | Trust: 2.4 |
| url: | https://jvn.jp/vu/jvnvu91561630/ | Trust: 0.8 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-46350 | Trust: 0.8 |
| url: | https://www.cisa.gov/news-events/ics-advisories/icsa-22-349-02 | Trust: 0.8 |
| url: | https://cert-portal.siemens.com/productcert/html/ssa-363821.html | Trust: 0.6 |
| url: | https://cxsecurity.com/cveshow/cve-2022-46350/ | Trust: 0.6 |
| url: | https://us-cert.cisa.gov/ics/advisories/icsa-22-349-02 | Trust: 0.6 |
CREDITS
Siemens reported these vulnerabilities to CISA.
Trust: 0.6
SOURCES
| db: | CNVD | id: | CNVD-2022-87969 |
| db: | JVNDB | id: | JVNDB-2022-023296 |
| db: | CNNVD | id: | CNNVD-202212-3080 |
| db: | NVD | id: | CVE-2022-46350 |
LAST UPDATE DATE
2024-08-14T13:16:50.530000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2022-87969 | date: | 2022-12-16T00:00:00 |
| db: | JVNDB | id: | JVNDB-2022-023296 | date: | 2023-11-28T03:13:00 |
| db: | CNNVD | id: | CNNVD-202212-3080 | date: | 2022-12-19T00:00:00 |
| db: | NVD | id: | CVE-2022-46350 | date: | 2022-12-15T20:58:58.180 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2022-87969 | date: | 2022-12-16T00:00:00 |
| db: | JVNDB | id: | JVNDB-2022-023296 | date: | 2023-11-28T00:00:00 |
| db: | CNNVD | id: | CNNVD-202212-3080 | date: | 2022-12-13T00:00:00 |
| db: | NVD | id: | CVE-2022-46350 | date: | 2022-12-13T16:15:25.667 |